Skip to main content

FreeRDP CVE-2026-40033

| EUVDEUVD-2026-31830 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-05-26 VulnCheck GHSA-xmr8-h8p4-932m
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 10:00 vuln.today
Analysis Generated
Jun 08, 2026 - 10:00 vuln.today
CVSS changed
May 26, 2026 - 15:22 NVD
8.8 (HIGH) 8.7 (HIGH)

DescriptionCVE.org

FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bounds heap memory. The vulnerability occurs because rectangle validation clamps coordinates to UINT16_MAX but performs copy operations using unclamped cache entry dimensions, enabling malicious RDP servers to trigger large out-of-bounds writes and potentially achieve remote code execution or client crash.

AnalysisAI

Heap buffer overflow in FreeRDP versions prior to 3.26.0 allows a malicious RDP server to write out-of-bounds heap memory on connecting clients through the gdi_CacheToSurface function, potentially leading to remote code execution or client crash. The flaw stems from inconsistent rectangle validation where coordinates are clamped to UINT16_MAX but copy operations use unclamped cache entry dimensions. Publicly available exploit code exists per SSVC, though EPSS exploitation probability remains low at 0.06%.

Technical ContextAI

FreeRDP is a widely deployed open-source implementation of the Microsoft Remote Desktop Protocol (RDP), used by Linux remote desktop clients, virtualization tools, and downstream distributions including SUSE. The vulnerability is classified as CWE-122 (Heap-based Buffer Overflow) and lives in the GDI (Graphics Device Interface) caching path - specifically gdi_CacheToSurface, which copies bitmap cache entries into surface bitmaps during RDP screen drawing. The validation logic clamps source rectangle coordinates to UINT16_MAX to look safe, but the subsequent memcpy/blit uses the cache entry's own width and height fields, which remain attacker-controlled. A hostile RDP server can craft cache update messages whose declared dimensions overshoot the destination surface bounds, producing large heap out-of-bounds writes on the client side.

RemediationAI

Vendor-released patch: FreeRDP 3.26.0 - upgrade all FreeRDP client installations and any embedding applications (Remmina, GNOME Connections, xfreerdp/wlfreerdp builds) to this version or later, with the fix tracked in commit 23b36cd00ebf0ccd97750fcdbc9aa2f362352da7 and the advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6r2-4hgm-m6ff. SUSE and other Linux distributors will ship backported package updates; apply distribution updates as they become available rather than waiting for a major version bump. Where immediate patching is not possible, restrict outbound RDP (TCP/3389 and UDP/3389) at egress firewalls so endpoints cannot connect to arbitrary external RDP servers, accepting the trade-off that legitimate remote-to-external-host RDP use cases will be blocked, and instruct users not to initiate RDP sessions to untrusted hosts or click .rdp files from untrusted sources since the attack requires the client to connect to a malicious server.

CVE-2026-25997 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth

CVE-2026-25953 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corrupti

CVE-2026-25952 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_SetWindowMinMaxInfo before version 3.23.0. X11 client window management triggers memory cor

CVE-2026-25959 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers mem

CVE-2026-22857 CRITICAL POC
9.8 Jan 14

FreeRDP IRP thread handler has a use-after-free where the IRP is freed by Complete() then accessed on the error path. Fi

CVE-2026-22854 CRITICAL POC
9.8 Jan 14

FreeRDP drive read heap overflow when server-controlled read length exceeds IRP output buffer. Fixed in 3.20.1. PoC avai

CVE-2026-22852 CRITICAL POC
9.8 Jan 14

FreeRDP client before 3.20.1 has a heap buffer overflow in AUDIN format processing. A malicious RDP server can corrupt m

CVE-2026-25955 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and

CVE-2024-32041 CRITICAL POC
9.8 Apr 22

FreeRDP is a free implementation of the Remote Desktop Protocol. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2023-40574 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40569 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40567 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-40033 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy